Privileged Access Attack Surface

The attack surface is vast - it is your entire foundational Active Directory.

At 85% of all organizations worldwide, the entirety of the organization's building blocks of cyber security, i.e. all privileged user and employee accounts and passwords, all computer accounts and all security groups, lies inside Active Directory.

Should any one of these privileged or employee domain user accounts, computer accounts or security groups be compromised, the attacker could instantly gain access to all IT assets to which the compromised account or group has access.

Consider This

At most organizations today, the focus of privileged access management and privileged user identification is on identifying local administrative accounts on organizational computers.

In reality, the actual attack surface is substantially larger, resides in Active Directory (AD), and remains neglected and vulnerable.


Consider this -

  1. Compromise of a local admin account on a machine could at most* impact security of resources on that machine.

  2. Compromise of an AD delegated admin account could impact security of thousands of resources domain-wide.

  3. Compromise of an AD privileged user with unrestricted access could impact security of all resources domain-wide.


So, who's more powerful, a local admin on a machine, or a user with delegated or unrestricted admin access in AD?

Top-10 Priority Targets


The following are the Top-10 priority targets in Active Directory that perpetrators seek to compromise -

  1. Active Directory Privileged Accounts

  2. Active Directory Privileged Groups

  3. Active Directory Delegated Accounts and Groups

  4. Specific Active Directory Objects/Content

  5. Widely Used Domain Security Groups

  6. Executive Domain User Accounts and Groups

  7. High-Value / Specific Interest Domain Security Groups

  8. High-Value / Specific Interest Domain User Accounts

  9. High-Value / Specific Interest Active Directory Objects

  10. Local Administrator and Service Accounts on Computers

Target #1 - Active Directory Privileged Accounts

The most high-value targets in a Windows Server based network are the user accounts of IT personnel that have unrestricted administrative/privileged access in Active Directory.

Examples include the default Administrator account in Active Directory, all members of default AD privileged groups (such as Domain Admins) and all Domain Admin Equivalent Privileged Users.

The compromise of a single such account grants a perpetrator sufficient privilege to compromise the entire organization.

Like ordinary accounts, these accounts too reside in Active Directory, and are protected by Active Directory permissions.

Any account that can reset the password of these accounts, take ownership or modify permissions on them is equally privileged, and all such accounts must also be considered privileged.

Thus, all such privileged accounts, and all accounts that can manage all such accounts, are extremely valuable targets.

Target #2 - Active Directory Privileged Groups

The 2nd most high-value targets in Windows Server based networks are domain security groups that have unrestricted administrative/privileged access in Active Directory.

The compromise of a single such group grants a perpetrator sufficient privilege to compromise the entire organization.

Examples include all default Active Directory privileged groups such as Domain Admins, Enterprise Admins, Schema Admins, as well as any groups that can directly or indirectly manage or control privileged accounts and groups in Active Directory.

Thus, all such powerful domain security groups are top targets.

Like ordinary groups, these groups too reside in Active Directory, and are protected by Active Directory permissions.

Further, all accounts that can change the membership of these groups, take ownership or modify permissions protecting them are equally privileged, and are equally lucrative targets.

Target #3 - Delegated Accounts and Groups in Active Directory

The 3rd most high-value targets in Windows Server based networks are domain user accounts and security groups that have been delegated administrative access in Active Directory.

The compromise of a single such account or group could grant a perpetrator vast privileges across the network.

Here are merely 3 such specific examples -

  1. Users with Reset Password effective permissions, OU- or domain-wide, could reset the password of most accounts.

  2. Users with Write-Property Member effective permissions, OU- or domain-wide, could control most group memberships.

  3. Users with Modify Permissions effective permissions, OU- or domain-wide, could obtain privileged access on any domain user account, security group or domain-joined host.


Thus, delegated privileged user accounts also possess vast system-wide privileged access and are high-priority targets.

Target #4 - Specific Active Directory Objects/Content

The 4th most high-value targets in Windows Server based networks are specific objects inside the Active Directory.

Sufficient access on these Active Directory objects could grant a perpetrator privileges to compromise the entire IT infrastructure.

Here are merely 3 such specific examples -

  1. Anyone who has Get Replication Changes and Get Replication Changes All effective permissions on the domain root object could use Mimikatz DCSync to instantly compromise everyone's passwords.

  2. Anyone who has Modify Permissions effective permissions on the AdminSDHolder object could obtain control over all default AD privileged users and accounts.

  3. Anyone who has Modify Permissions effective permissions on any large Organizational Unit (OU) could obtain control over all user accounts, computers and security groups in it.


Thus, all such sensitive Active Directory objects are key targets.
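As an added example, not code from this page or its vendor: the two replication control-access rights named in item 1 above are recorded in Windows Security Event ID 4662 whenever they are exercised, so a defender can flag any identity other than a domain controller that uses them. The event records, the domain controller list and the MSOL_sync allowlist entry are constructed sample data; the GUIDs are the real ones Active Directory assigns to these rights.

```python
"""Added example: flag Event ID 4662 records in which a principal that is not a
domain controller exercised a directory-replication control-access right.
Event records below are constructed sample data, not real log output."""
import re

# Real control-access-right GUIDs that replication (and DCSync-style tooling) requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def rights_in(properties: str) -> set:
    """Names of replication rights whose GUIDs appear in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return {name for guid, name in REPLICATION_RIGHTS.items() if guid in found}


def detect_dcsync(events, dc_accounts, allowlist=()):
    """One alert per 4662 event where a non-DC, non-allowlisted identity exercised
    a replication right. Get-Changes-All is rated high because that is the right
    which returns password hashes and other secrets."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in dc_accounts or subject in allowlist:
            continue  # DC-to-DC replication and known sync services are expected
        alerts.append({
            "subject": subject,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": sorted(rights),
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
            "time": ev.get("TimeCreated", ""),
        })
    return alerts


# --- constructed sample events (simplified field set of a real 4662) ----------
REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
REPL_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    # DC-to-DC replication: expected, suppressed
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:00:01", "SubjectUserName": "DC02$",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access {REPL} {REPL_ALL}"},
    # hypothetical directory-sync service account, allowlisted on purpose
    {"EventID": 4662, "TimeCreated": "2024-05-01T09:00:07", "SubjectUserName": "MSOL_sync",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access {REPL} {REPL_ALL}"},
    # an ordinary user pulling every account's secrets: the pattern to alert on
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:12:44", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access {REPL} {REPL_ALL}"},
    # Get-Changes without Get-Changes-All: no secrets returned, still worth review
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:30:00", "SubjectUserName": "svc-backup",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": f"Control Access {REPL}"},
    # a 4662 for an unrelated right (GUID of the 'user' schema class): not replication
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:31:00", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "AccessMask": "0x100",
     "Properties": "Control Access {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]
DC_ACCOUNTS = {"DC01$", "DC02$"}   # constructed
ALLOWLIST = {"MSOL_sync"}          # constructed, hypothetical sync account

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS, ALLOWLIST):
        print(alert)
```

Two points worth keeping in mind when running this against real logs: a domain controller only writes 4662 for these rights when Directory Service Access auditing is enabled and the domain root object's SACL audits Control Access, and any account that legitimately replicates (directory-synchronisation services, backup products) must be allowlisted deliberately, so that the allowlist itself becomes a reviewed inventory of who is permitted to replicate.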

Target #5 - Widely Used Domain Security Groups

The 5th most high-value targets in Windows Server based networks are Active Directory (domain) security groups that are widely used to provision access to IT assets across the network.

If a perpetrator could modify the group membership of such a group, he/she could instantly and effortlessly obtain access to all IT assets to which that group has access.

For example, any account with Write-Property Member effective permissions on the All Employees group or the Secret Project X group in Active Directory could instantly obtain access to all IT assets (possibly thousands of files on file servers) to which either of these groups has been granted any type of access.

Thus, all domain security groups that are widely used to provision access to resources across the network, are targets.

Target #6 - Executive Domain User Accounts and Groups

The 6th most high-value targets in Windows Server based networks are executive domain user accounts and groups.

The compromise of a single such account or group could grant a perpetrator access to sensitive highly confidential information.

For instance, anyone who has effective permissions to reset the password of the domain user account of an organization's CEO, CFO, CIO or CISO could reset their password and log in as them to read their email and access all IT assets they have access to.

Similarly, anyone who has effective permissions to change the membership of the Executives domain security group in Active Directory could change its membership and obtain access to all confidential/sensitive IT assets to which that group has access.

Thus, by virtue of their role and access to sensitive data, executive accounts and groups in AD are high-value targets.

Target #7 - High-Value / Specific Interest Groups

The 7th most high-value targets are high-value / specific interest Active Directory (domain) security groups that control access to one or more highly sensitive IT resources on the network.

For example, consider that at a software company, an Active Directory security group called Source-Code Access is being used to protect, grant and control access to the company's highly-confidential source code.

If a perpetrator could (obtain sufficient effective permissions to) modify the membership of this one single high-value group in Active Directory, he/she could circumvent all existing (physical, system and network) layers of security, and instantly and effortlessly gain access to the entire source-code.

Thus, all such specific interest Active Directory (domain) security groups are valuable intermediate targets.
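The membership-change scenarios of Targets #5, #6 and #7 can be watched from the Windows security log: additions to security groups are recorded as Event IDs 4728, 4732 and 4756 (global, domain-local and universal groups) and removals as 4729, 4733 and 4757. The following is an added example, not code from this page or its vendor, that rates such additions against a watchlist and marks the two patterns most worth a second look: a subject adding itself, and a membership that is reverted shortly afterwards. The event records, SIDs, account names and the watchlist contents are constructed.

```python
"""Added example: watch Windows Security events for membership changes to
privileged and high-value domain groups. All events below are constructed."""
from datetime import datetime, timedelta

ADD_EVENTS = {4728, 4732, 4756}     # member added to a global / domain-local / universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from the same group types
# Constructed watchlist: default AD privileged groups, and the business-critical
# groups this page uses as examples (names are assumptions).
TIER0 = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
HIGH_VALUE = {"Executives", "Source-Code Access", "All Employees"}


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def membership_alerts(events, transient_window=timedelta(minutes=30)):
    """One alert per addition to a watched group. A subject adding itself, and an
    addition that is reverted inside the window (add, use, remove), are recorded
    as reasons so an analyst can prioritise them."""
    events = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(events):
        if ev["EventID"] not in ADD_EVENTS:
            continue
        group = ev["TargetUserName"]
        if group in TIER0:
            severity = "critical"
        elif group in HIGH_VALUE:
            severity = "high"
        else:
            continue
        reasons = []
        if ev["SubjectUserSid"] == ev["MemberSid"]:
            reasons.append("self-add")
        for later in events[i + 1:]:
            if (later["EventID"] in REMOVE_EVENTS and later["TargetUserName"] == group
                    and later["MemberSid"] == ev["MemberSid"]
                    and _ts(later) - _ts(ev) <= transient_window):
                reasons.append("transient")
                break
        alerts.append({"group": group, "member": ev["MemberName"], "by": ev["SubjectUserName"],
                       "severity": severity, "reasons": reasons, "time": ev["TimeCreated"]})
    return alerts


# --- constructed sample events (simplified field set of real 4728/4729) -------
JDOE = "CN=John Doe,OU=Staff,DC=corp,DC=example"
NEWHIRE = "CN=New Hire,OU=Staff,DC=corp,DC=example"
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "svc-hr",
     "SubjectUserSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "All Employees",
     "MemberName": NEWHIRE, "MemberSid": "S-1-5-21-1-1-1-2001"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:10:00", "SubjectUserName": "jdoe",
     "SubjectUserSid": "S-1-5-21-1-1-1-1108", "TargetUserName": "Source-Code Access",
     "MemberName": JDOE, "MemberSid": "S-1-5-21-1-1-1-1108"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:15:00", "SubjectUserName": "jdoe",
     "SubjectUserSid": "S-1-5-21-1-1-1-1108", "TargetUserName": "Domain Admins",
     "MemberName": JDOE, "MemberSid": "S-1-5-21-1-1-1-1108"},
    {"EventID": 4729, "TimeCreated": "2024-05-01T09:22:00", "SubjectUserName": "jdoe",
     "SubjectUserSid": "S-1-5-21-1-1-1-1108", "TargetUserName": "Domain Admins",
     "MemberName": JDOE, "MemberSid": "S-1-5-21-1-1-1-1108"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T09:30:00", "SubjectUserName": "svc-hr",
     "SubjectUserSid": "S-1-5-21-1-1-1-1105", "TargetUserName": "Marketing",
     "MemberName": NEWHIRE, "MemberSid": "S-1-5-21-1-1-1-2001"},
]

if __name__ == "__main__":
    for alert in membership_alerts(SAMPLE_EVENTS):
        print(alert)
```

The watchlist is deliberately two-tiered: the default privileged groups matter regardless of what the organization names things, while the high-value tier has to be populated from the organization's own knowledge of which groups gate source code, executive mailboxes or broad file-server access, which is exactly the inventory this section argues most organizations lack.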

Target #8 - High-Value / Specific Interest Accounts

The 8th most high-value targets are high-value / specific interest Active Directory (domain) user accounts that have access to one or more highly sensitive IT resources on the network.

For example, consider the high-value, default krbtgt domain account which exists in every Active Directory domain. Should a perpetrator be able to reset its password, or gain control over it, he/she could become anyone, anytime.

As another example, consider that at a bank, a manager John Doe's domain user account has access to the system (e.g. a software password vault) from which to obtain the daily access-codes required to gain access to the bank's vault.

If perpetrators could (obtain sufficient effective permissions to) reset the password of this one single account in Active Directory, they could instantly log in as him and obtain the daily access-codes required to gain access to the bank's vault.

Thus, such domain accounts are often intermediate targets for perpetrators seeking to compromise specific IT assets.

Target #9 - High-Value / Specific Interest Active Directory Objects

The 9th most high-value targets in a Windows Server based network are specific high-value Active Directory objects.

For example, consider that at an organization, a critical cloud synchronization solution or an endpoint-protection cyber security solution has been deployed, and it publishes service connection points (SCPs) in Active Directory so that its clients can query Active Directory for these SCPs to locate service instances, get tenant or identifier information etc.

If a perpetrator had sufficient effective permissions, he/she could modify the Keywords attribute on SCPs in Active Directory that are used by this cloud synchronization solution or endpoint-security solution, instantly causing a service disruption, and/or disabling protection on thousands of endpoints and leaving them vulnerable to compromise.

Thus, specific interest Active Directory objects such as SCPs can be targeted by perpetrators to disrupt services.

Target #10 - Local Administrator and Service Accounts on Computers

The least high-value targets in a Windows Server network are local administrator and service accounts on computers.

Contrary to popular belief, these accounts are NOT at all the most privileged user accounts in a Windows network.

The simple reason for this is that in most cases, the impact of their compromise is restricted to the compromise of at most those IT assets that are locally stored on such computers.

Nonetheless, by definition, every computer has an administrator account, unauthorized access to which could grant a perpetrator complete control over that computer, and thus perpetrators do often try to gain a foothold in a network by compromising such local administrator accounts on domain-joined machines.

Thus, relative to Active Directory privileged/admin accounts, local admin and service accounts on domain-joined hosts have substantially less privilege, and are generally targeted by novice perpetrators.

Active Directory Privilege Escalation

Within every organization's Active Directory lie the entirety of their domain user accounts (including those of privileged users), computer accounts and security groups, each protected by an Active Directory access control list (ACL).

Within these Active Directory ACLs lie security permissions that allow or deny access to various users and groups, and together thousands of such permissions collectively and effectively determine who actually has access to what in Active Directory.

Active Directory lacks the ability to help organizations accurately determine effective access, and thus organizations have no idea who actually has what privileged access in Active Directory.

Organizations have been provisioning access in Active Directory for years without any accurate insight, resulting in a massive amount of excessive access that has paved thousands of privilege escalation paths, which can be easily exploited.
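As an added example, not the vendor's code and not a query against a live domain, the following Python models how the delegated rights listed under Target #3 (Reset Password, Write-Property Member, Modify Permissions) are granted by ACEs on an OU tree and then combine, through inheritance, nested group membership, explicit deny ACEs and inheritance-blocked (AdminSDHolder-protected) objects, into the effective permissions this section says organizations cannot see. The directory, groups and users are constructed; the two GUIDs are the real ones Active Directory uses for the User-Force-Change-Password right and the member attribute.

```python
"""Added example: a small model of how Active Directory ACEs on an OU tree
combine into effective permissions. The directory, groups and users below are
constructed for illustration; nothing here touches a live domain."""
from dataclasses import dataclass, field
from typing import Optional

# Real AD GUIDs that object-specific ACEs use to scope a right.
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"     # the 'member' attribute
ANY = "00000000-0000-0000-0000-000000000000"             # ACE is not scoped to one right


@dataclass
class Ace:
    allow: bool            # False = deny ACE
    trustee: str           # user or group name
    right: str             # "ResetPassword", "WriteProperty", "WriteDacl"
    guid: str = ANY        # attribute / control-access right the ACE is scoped to
    inherit: bool = False  # propagates to child objects


@dataclass
class AdObject:
    dn: str
    parent: Optional[str]
    acl: list = field(default_factory=list)
    protected: bool = False  # inheritance blocked, as AdminSDHolder does for adminCount=1 objects


def expand(principal: str, groups: dict) -> set:
    """Transitive closure of a principal's group memberships (nesting included)."""
    seen, stack = {principal}, [principal]
    while stack:
        p = stack.pop()
        for group, members in groups.items():
            if p in members and group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def ordered_aces(directory: dict, dn: str) -> list:
    """Canonical ACE order: the object's own ACEs first, then inherited ACEs from
    the nearest ancestor outward; within each level deny ACEs precede allow ACEs."""
    obj = directory[dn]
    levels = [list(obj.acl)]
    cur = None if obj.protected else obj.parent
    while cur:
        levels.append([a for a in directory[cur].acl if a.inherit])
        cur = directory[cur].parent
    ordered = []
    for level in levels:
        ordered += sorted(level, key=lambda a: a.allow)  # deny (False) sorts first
    return ordered


def has_effective(directory, groups, principal, dn, right, guid=ANY) -> bool:
    """The first matching ACE in canonical order decides; no match means no access."""
    identities = expand(principal, groups)
    for ace in ordered_aces(directory, dn):
        if ace.trustee in identities and ace.right == right and ace.guid in (ANY, guid):
            return ace.allow
    return False


def who_can(directory, groups, users, dn, right, guid=ANY) -> list:
    """Every user who effectively holds `right` on `dn`, however it was granted."""
    return sorted(u for u in users if has_effective(directory, groups, u, dn, right, guid))


# --- constructed directory ----------------------------------------------------
DOMAIN = "DC=corp,DC=example"
STAFF = "OU=Staff," + DOMAIN
DIRECTORY = {
    DOMAIN: AdObject(DOMAIN, None, [Ace(True, "Domain Admins", "WriteDacl", inherit=True)]),
    STAFF: AdObject(STAFF, DOMAIN, [
        Ace(True, "Helpdesk", "ResetPassword", RESET_PASSWORD, inherit=True),
        Ace(True, "GroupMgrs", "WriteProperty", MEMBER_ATTR, inherit=True),
    ]),
    "CN=alice," + STAFF: AdObject("CN=alice," + STAFF, STAFF),
    # an explicit deny on bob outranks the allow inherited from the OU
    "CN=bob," + STAFF: AdObject("CN=bob," + STAFF, STAFF,
                                [Ace(False, "Helpdesk", "ResetPassword", RESET_PASSWORD)]),
    # carol is a Domain Admin: AdminSDHolder-style protection blocks OU inheritance
    "CN=carol," + STAFF: AdObject("CN=carol," + STAFF, STAFF, protected=True),
    "CN=All Employees," + STAFF: AdObject("CN=All Employees," + STAFF, STAFF),
}
GROUPS = {
    "Domain Admins": ["carol"],
    "Helpdesk": ["dave", "Contractors"],  # nested group: eve gets Helpdesk's rights
    "Contractors": ["eve"],
    "GroupMgrs": ["frank"],
}
USERS = ["alice", "bob", "carol", "dave", "eve", "frank"]

if __name__ == "__main__":
    for name in ("alice", "bob", "carol"):
        dn = f"CN={name},{STAFF}"
        print(dn, "reset password:", who_can(DIRECTORY, GROUPS, USERS, dn, "ResetPassword", RESET_PASSWORD))
    print("can edit All Employees membership:",
          who_can(DIRECTORY, GROUPS, USERS, "CN=All Employees," + STAFF, "WriteProperty", MEMBER_ATTR))
    print("can rewrite the ACL on alice:", who_can(DIRECTORY, GROUPS, USERS, "CN=alice," + STAFF, "WriteDacl"))
```

The point of the model is that none of the answers can be read off a single ACL: eve's right to reset alice's password comes from a nested group two levels away on a parent OU, bob's explicit deny silently removes it, and carol's protected object ignores the OU delegation entirely. Real Active Directory adds further rules this model leaves out (inherited-object-type scoping, generic rights that expand to specific ones, and permissions granted through owner or group-owner status), which is why the text above describes effective access as something that has to be computed rather than looked up.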

